Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
A Framework for Security Analysis of Mobile Wireless
Networks
Sebastian Nanz Chris Hankin
Department of Computing
Imperial College London, UK
{nanz,clh}@doc.ic.ac.uk
17th October 2005
Abstract
We present a framework for specification and security analysis of communication
protocols for mobile wireless networks. This setting introduces new challenges which
are not being addressed by classical protocol analysis techniques. The main complica-
tion stems from the fact that the actions of intermediate nodes and their connectivity
can no longer be abstracted into a single unstructured adversarial environment as
they form an inherent part of the system’s security. In order to model this scenario
faithfully, we present a broadcast calculus which makes a clear distinction between
the protocol processes and the network’s connectivity graph, which may change inde-
pendently from protocol actions. We identify a property characterising an important
aspect of security in this setting and express it using behavioural equivalences of the
calculus. We complement this approach with a control flow analysis which enables us
to automatically check this property on a given network and attacker specification.
1 Introduction
In classical cellular wireless networking, devices connect to a dedicated base station provid-
ing services such as Internet access. Considering the threats implied in using the wireless
medium, security has always been a natural concern in this setting. In order to increase
convenience and mobility of users even further, much research effort has been spent in re-
cent years on the development of protocols for networks operating without central control
components so that nodes connect directly to each other and forward messages over mul-
tiple hops. This networking paradigm is dubbed “mobile ad-hoc networking” and some
of the proposed protocols have been standardised by the IETF or are in the process of
standardisation.
1
Security is again a major concern in this new setting, however the added complexity
asks for new security models and properties which do not yet seem to be well-understood.
For example, the signature mechanism of the “secure” routing protocol extension SAODV
[10] clearly strives for the authentication of endpoint nodes of a yet to be established
routing path. However, the task of any routing protocol is to discover and maintain paths
between communication partners in a network, and this service itself should be secured.
As SAODV’s authentication property does not imply statements about paths, it is unclear
how the securing of the service is to be achieved. Indeed we will show in this paper that
the protocol is insecure in this respect.
To ensure the correctness of any protocol, formal modelling and analysis techniques
are to be employed. This approach has proved to be successful with security protocols
for properties like authentication and confidentiality, and a multitude of effective frame-
works have been proposed, e.g. [6, 20, 2, 9] to name only a few. The above example
reveals however, that these formalisms cannot be applied in this new setting because they
are designed for endpoint properties. The goal of this paper is to present a framework,
based on a broadcast calculus and static analysis, which allows mobile wireless networks
and their security to be formally described and analysed. In the following, we review
some of the characteristics of mobile ad-hoc networking, summarise related work and our
contributions, and give an overview of the structure of this paper.
1.1 Background: Mobile Ad-Hoc Networks
Mobile ad-hoc networks consist of mobile devices communicating via wireless transmission.
Nodes cooperate by relaying messages to distant partners, thus eliminating the need for
any pre-installed infrastructure and overcoming the limitations of their respective radio
transmission ranges. In order to achieve this behaviour, multiple protocols have to work
together. Their design is carried out within a layered architecture, so that protocols on
higher layers can abstract from functionality supplied by those beneath. For mobile ad-hoc
networks, the network layer is critical as routing is the central issue.
Routing comprises two complementary tasks, route discovery and route maintenance.
For route discovery, a node usually floods the network with a route request message which
is rebroadcast over and over by intermediate nodes until the destination node is found and
can acknowledge. Found routes are kept in routing tables for later use. Route maintenance
tries on the other hand to repair routes (by finding alternatives) whenever a link between
nodes on a route breaks. Broken links are considered to occur frequently, as nodes are free
to move about.
Routing protocols are further distinguished into proactive (nodes constantly try to
update their routing tables according to the changing network topology) and on-demand
2
(routes are only requested if they are needed), with the proactive approach seen as less
advantageous because it produces a greater routing overhead on the network. Protocols
under standardisation at the IETF include Ad-hoc On-demand Distance Vector (AODV)
routing [21] and Dynamic Source Routing (DSR) [13], both on-demand protocols. These
are developed for a non-adversarial setting only, and security extensions such as SAODV
[11], Ariadne [12], and ARAN [25] have been proposed to secure the routing effort.
To summarise, main characteristics of mobile ad-hoc networks include the following
and clarify the issues any modelling formalism for this setting has to address:
Internal states. Nodes are not memoryless but store information in routing tables with
impact on future actions.
Broadcast communication. Routing protocols rely on broadcast as the main mode of
communication, together with some notion of locality: only adjacent nodes receive
the initial broadcast message.
Connectivity. Connectivity of nodes is a separate parameter to the system and protocols
promise to give correct results for any value of this parameter.
Dynamic environment. The connectivity undergoes constant changes as the result of link
failures.
1.2 Related Work
There are not many works on bringing together the development of protocols for mobile
ad-hoc networks with formal modelling and security analysis (our own preliminary studies
are [14, 15]). Related work is thus to be found mainly in the separate areas of process
algebra, protocol analysis, and non-formal security analysis for mobile ad-hoc networks.
In the realm of process algebra, broadcast calculi and calculi with security objectives
are most closely related to our work. The Calculus of Broadcasting Systems (CBS) [23] is
the first calculus to have broadcast as communication primitive, and is a direct ancestor
of our calculus. As a main difference to our approach, all processes receive a broadcast
message at once, whereas we emphasise the necessity of a notion of local broadcast in
which only adjacent nodes can directly receive a transmitted message. The bπ-calculus
[8] equips the π-calculus with a broadcast paradigm such that only nodes listening on the
right channel will receive a broadcast. While this seems to come closer to a notion of
local broadcast, it remains complicated to change a once established connectivity (which
is straightforward in our calculus). The spi calculus [2] was the first calculus to include
explicit cryptographic primitives. Our approach follows however more closely the applied
pi calculus [1] which allow functions as term constructors and uses them to model cryp-
tography.
3
Model checking has been used to analyse traditional security protocols specified in a
process algebra framework [24]. Static analysis techniques for the same task have been
employed by [4] and stimulated our own approach. [3, 28, 7, 27] have used model checking
to discover flaws in routing protocols for mobile ad-hoc networks, but consider only safety
problems.
Work on the security of mobile ad-hoc networks includes [11, 12, 25], who propose
secure protocols or protocol extensions and informally consider attacks and desired prop-
erties.
1.3 Contributions
Our main contributions can be summarised as follows:
Definition of the calculus CBS# for the faithful formalisation of protocols for mobile
wireless networks. Its main novelties include: local broadcast as main communication
model; separation of process connectivity (represented by graphs on locations) and
process actions; explicit notion of a computational entity as a pair of process and
private store at some location.
The definition of topology consistency as a building block for routing security, for-
malised using the notion of mediated process equivalence which focuses on identifying
processes only with respect to their capabilities to store items.
A static analysis to overapproximate actions of a finite network of nodes specified in
CBS#, which can be used to automatically derive the topology consistency condition.
1.4 Overview of the Paper
In Section 2, the syntax and operational semantics of the calculus CBS# are defined and
we present related behavioural equivalences. Section 3 presents a Control Flow Analysis
on terms of our calculus to yield an overapproximation of the sets of terms transmitted
and stored in a network. We prove the analysis correct with respect to the operational
semantics of the calculus and give notes about our implementation of the analysis. In
Section 4, we analyse the security needs of mobile wireless networks and compare them
with classical security protocols. We specify SAODV-basic, a simplified version of SAODV,
as a worked example of protocol modelling in CBS#. We formalise topology consistency
as an important property in the setting of routing protocols and apply our analysis to
show that SAODV-basic violates this property. We conclude with notes on future work in
Section 5.
4
2 The Calculus CBS#
In this section we present CBS#, a process calculus for modelling mobile wireless networks.
It inherits broadcast as the base communication paradigm from the Calculus of Broadcast-
ing Systems (CBS) [23], with the important difference that sent messages are not received
globally, but only by adjacent neighbours of the sending node. The notion of adjacency is
made explicit by the concept of a connectivity graph, which effectively separates process
actions from process connectivity. This separation is essential for modelling mobile wire-
less networks since the possibility of a connection is determined by environment conditions
such as node movement, but never by process actions.
For security modelling, we develop notions of behavioural equivalences of networks,
much in the style of the spi calculus [2]. However, security will be determined by the tense
relation between the actual environment conditions and what nodes believe about their
environment (see later Section 4.3). The belief of the nodes can be expressed in CBS# by
modelling routing tables using the notion of a private store, and the notion of mediated
equivalence focuses on identifying networks by their storage capabilities.
2.1 Syntax and Informal Semantics
The syntax of CBS# is given in Table 1.
Terms. Let N denote a countable set of names, X a countable set of variables, and Fa finite set of function symbols together with a function arity : F → N to yield the arity
of a function symbol. The set of terms T consists of names n ∈ N , variables x ∈ X , and
function applications F(T1, . . . , Tk) where Ti ∈ T, F ∈ F and arity(F) = k.
We write T to abbreviate a finite sequence of terms T1, . . . , Tk for some k ∈ N, and use
the function | . | to denote its arity, |T | = k. Function fv yields the set of free variables
of a term, process, or node. A free variable x can be replaced with a term U by the
substitution [U/x]. We write [U/x] and [Ui/xi]ki=1 to denote the sequence of substitutions
[U1/x1] . . . [Uk/xk]. Free names can be substituted by other names analogously.
Processes. The set of processes P is inductively defined as follows: The terminated
process is represented by nil. The sending of a ground term T is denoted by out T.P , with
P as the continuation process. The sending mode is local broadcast, i.e. only adjacent
nodes may receive the transmission, where adjacency is defined below via the notion of
connectivity graphs. The action in x.P expresses readiness to receive a ground term T
and bind it to x.
The action store T.P denotes storage of a ground term T in a private store S introduced
below. Terms are retrieved from the store by the action read x.P which binds a random
term T ∈ S to x.
5
Terms
T ::= n names, n ∈ N| x variables, x ∈ X| F(T ) function application, F ∈ F
Processes
P ::= nil termination
| out T.P sending
| in x.P reception
| store T.P storage
| read x.P retrieval
| case T of F(T ; x) P1 else P2 case distinction, F ∈ F| A(T ) constant
| P1 | P2 parallel composition
Stores
S ::= {T} singleton
| S1 ∪ S2 union
Networks
N ::= n[P, S] node, n ∈ Nloc ⊆ N| N1 ‖ N2 parallel composition
Table 1: Syntax of CBS#
The action for case distinction case T of F(T ; x) P1 else P2 tries to match a term T
with the term F(T ; x) and continues on success with P1 in which variables x are bound,
or otherwise with P2. In order to match, T has to be of the form F(T , U) with |U | = |x|.Constants can be defined as A(U) def= P , where fv(P ) ⊆ U . Definitions are then invoked by
A(T ). Processes can be executed in parallel, written as P1 | P2. Multiple parallel actions
are abbreviated by |i∈I Pi.
Stores. Stores are non-empty sets of terms. The usual set operations such as element
∈ are defined for them. They are defined non-empty to prevent the read operation from
getting stuck. An initialisation of stores which is always suitable can be achieved by
requiring ε ∈ S, where ε is the empty function which matches with no other term. Unless
otherwise specified, we will assume this initialisation.
6
Networks. Networks N ∈ N consist of nodes which are written as n[P, S] and denote a
computational entity of a network: a pair of a process P and a private store S at some
location n. Locations are contained in the set Nloc ⊆ N and make it possible to identify
nodes. For a network N we define V (N) to yield the set of all locations (vertices) in N .
Networks can be composed in parallel by N1 ‖ N2, where again multiple composition can
be written ‖i∈I Ni.
2.2 Operational Semantics
2.2.1 Connectivity Graphs and Network Topologies
A graph is a pair G = (V,E) of sets satisfying E ⊆ V × V . V is called the set of vertices
and is referred to as V (G), and E or E(G) is the set of edges. We do not allow self-loops,
i.e. (n, n′) ∈ E(G) implies n 6= n′.
A connectivity graph G is a graph whose vertex set is a subset of Nloc . Connectivity
graphs are used to describe the connections between nodes for a particular moment in
time. G is said to be admissible on a network N iff V (N) ⊆ V (G).
A network topology T is a collection of connectivity graphs. The network topology is
used to implicitly describe connectivity properties which remain invariant over time, for
example if a certain link always or never exists. T is said to be admissible on a network
N iff all G ∈ T are. In the following we will assume that all examined connectivity graphs
and network topologies are admissible on their respective networks. The maximal network
topology Tmax contains all graphs on Nloc .
2.2.2 Transition Relations
The operational semantics of the calculus is defined by the following transition relations:
N(U,m)]−−−−→G N ′ Labelled transition relation
N → N ′ Reduction relation
N ≡ N ′ Structural equivalence
Labelled transition relation. N(U,m)]−−−−→G N ′ describes the evolution of a network N
to a network N ′ during transmission of a term and abiding by the connectivity graph G.
The label (U,m)] shows the transmitted (variable-free) term U and the location name
m ∈ Nloc of its sender, as well as a mode identifier ] ∈ {!, ?, :}. The pair (U,m) is called
the message. The different modes denote sending (U,m)!, receiving (U,m)?, and losing
(U,m): a message. Mode identifiers ]1 and ]2 can be composed according to the following
7
algebra:◦ ! ? :
! ⊥ ! !
? ! ? ?
: ! ? :
Here, ⊥ expresses that two sending actions cannot be combined within one derivation.
The relation(U,m)]−−−−→G describes network evolution under the sending of one message
(U,m) under G. The sending of k messages is serialised in the sense that k derivations for
a sequence of connectivity graphs G1, . . . , Gk have to be found:
N(U1,m1)!−−−−−→G1 N1
(U2,m2)!−−−−−→G2 N2 · · ·(Uk,mk)!−−−−−→Gk
N ′
Note that this means that there will never be clashes of messages, but sending remains
globally asynchronous.
In order to ensure that changes in connectivity are in agreement with the network
topology, we define the following:
Definition 2.1 (T -Faithfulness) The relation(U,m)]−−−−→G is called T -faithful iff G ∈ T ,
and we write(U,m)]−−−−→G∈T to emphasise this fact. The reflexive, transitive closure of T -
faithful relations is denoted −→∗T .
After this overview, we can now proceed to the rules for the communication transition
relation which are given in Table 2.
Rule Nil expresses that the node running the nil process n[nil, S] loses any message
(U,m). Rules Out1 and Out2 describe the behaviour of a sender n[out T.P, S]. Such
a node loses incoming messages (U,m) and evolves to n[P, S] when broadcasting its own
message. In the latter case, the transition arrow is labelled with (T, n)!, showing the
transmitted term T and the location of the sender n.
There are two rules for a receiver n[in x.P, S] which are distinguished by the properties
of the connectivity graph G. According to rule In1, the message (U,m) is received if there
is an edge in G between location m, the sender of the message, and the current node’s
location n. In this case the variable x gets bound to U so that the continuation process is
P [U/x]. If however (m,n) /∈ E(G), any message will be discarded by rule In2.
The rule for parallelism PPar makes use of the algebra for the composition ◦ of ]1, ]2 ∈{!, ?, :} as defined above. This is essential for the working of the broadcast modelling, as it
makes sure that every subprocess running at every node in the network will decide about
receiving or discarding a particular message. It is ensured that at most one process is
sending by requiring ]1 ◦ ]2 6= ⊥ (note ! ◦ ! = ⊥) and by the property “]1 ◦ ]2 ∈ {?, :} ⇒]1, ]2 6= !” of the algebra.
8
Nil n[nil, S](U,m):−−−−→G n[nil, S]
Out1 n[out T.P, S](T,n)!−−−→G n[P, S]
Out2 n[out T.P, S](U,m):−−−−→G n[out T.P, S]
In1(m,n) ∈ E(G)
n[in x.P, S](U,m)?−−−−→G n[P [U/x], S]
In2(m,n) /∈ E(G)
n[in x.P, S](U,m):−−−−→G n[in x.P, S]
PParN1
(U,m)]1−−−−−→G N ′1 N2
(U,m)]2−−−−−→G N ′2
N1 ‖ N2(U,m)(]1◦]2)−−−−−−−−→G N ′
1 ‖ N ′2
where ]1 ◦ ]2 6= ⊥
StructN ≡ M M
(U,m)]−−−−→G M ′ M ′ ≡ N ′
N(U,m)]−−−−→G N ′
Table 2: Labelled transition relation
Example 2.2 Let three nodes be defined as follows
N1 = n1[out T.nil, S1]
N2 = n2[in x.nil, S2]
N3 = n3[in x.nil, S3].
and let E(G1) = {(n1, n2)}. Then the network consisting of the parallel composition of
the nodes can evolve according to the derivation below.
N1(T,n1)!−−−−→G1 n1[nil, S1]
N2(T,n1)?−−−−→G n2[nil, S2] N3
(T,n1):−−−−→G1 N3
N2 ‖ N3(T,n1)?−−−−→G1 n2[nil, S2] ‖ N3
N1 ‖ N2 ‖ N3(T,n1)!−−−−→G1 n1[nil, S1] ‖ n2[nil, S2] ‖ N3
If furthermore E(G2) = {(n1, n3)} and T = {G1, G2} then we can conclude that
the final configuration will either be n1[nil, S1] ‖ n2[in x.nil, S2] ‖ n3[nil, S3] or
n1[nil, S1] ‖ n2[nil, S2] ‖ n3[in x.nil, S3].
Reduction relation. We display rules for the reduction relation in Table 3.
In rule Store, n[store T.P, S] adds a term T to the store S. Rule Read for retrieval
n[read x.P, S] binds a random term T ∈ S to x in P . In the rules for case distinction,
9
Store n[store T.P, S] → n[P, S ∪ {T}]
ReadT ∈ S
n[read x.P, S] → n[P [T/x], S]
Case1T = F(T , U) |U | = |x|
n[case T of F(T ; x) P1 else P2, S] → n[P1[U/x], S]
Case2@ U . T = F(T , U) ∧ |U | = |x|
n[case T of F(T ; x) P1 else P2, S] → n[P2, S]
ConstA(U) def= P n[P [T /U ], S] → n[P ′, S′]
n[A(T ), S] → n[P ′, S′]
Table 3: Reduction relation
the term T is matched against a template F(T ; x). In rule Case1, if T is of the form
F(T , U) and |U | = |x|, the continuation binds the terms U against the variables x to yield
n[P1[U/x], S]. Otherwise, rule Case2 demands P2 as continuation process. Constants
n[A(T ), S] get expanded whenever necessary as shown in rule Const. We assume though
that possible recursive appearances A(T ′) imply T = T ′. This means that we limit infinite
behaviour to replication which is important for the safety of our analysis in Section 3.
Example 2.3 Assume the following definition:
N = n[case T of Env(n;x) store x.nil else nil, S]
For T = Env(n;Msg), an envelope addressed to n with contents Msg , we have the following
derivation:
N → n[store Msg .nil, S] → n[nil, S ∪ {Msg}]
For T = Env(m;Msg) we would however get n[nil, S] as final configuration, since n 6= m.
Structural equivalence. The rules of the structural equivalence on nodes are shown in
Table 4.
Rules Comm through Trans are standard. We regard networks as structurally equiv-
alent, if one of them can be reduced to the other, as shown in rule Red. Rule Par says
that parallel processes are equivalent to parallel nodes running these processes, and stores
can be partitioned arbitrarily.
10
Example 2.4 We have the following equivalences, where the second holds because of Red
and Store, the other two because of Par.
n[store T.nil | in x.nil, S] ≡ n[store T.nil, S] ‖ n[in x.nil, S] ≡≡ n[nil, S ∪ {T}] ‖ n[in x.nil, S] ≡ n[nil | in x.nil, S ∪ {T}]
2.3 Notational Conventions and Cryptographic Primitives
For the specification of even moderately large protocols such as SAODV-basic in Sec-
tion 4.2, clarity and readability of the formalisation are imperative. For this reason, we
have opted for keywords such as in and read rather than just symbols which are favoured
by other calculi. We also use line breaks and indentation as exemplified in Table 8, and
we omit a trailing nil whenever no confusion arises. In this section we show some more
notational conventions and show a way to model cryptographic primitives in CBS#.
Notation. If the equality of terms is to be checked, the full power of the matching
mechanism of the case statement is not needed and a simpler representation is desirable.
This can be done with the following encoding which uses the special function Match to
allow arbitrary terms T and U , since case can only match terms which a function has been
applied to.if T = U then P1 else P2 ≡
case Match(T ) of Match(U ; ) P1 else P2
If in and read are directly followed by a case distinction on their input variable, we use the
following simplified notation.
in F(T ; x).P ≡in x.case x of F(T ; x) P else nil
read F(T ; x) P1 else P2 ≡read x.case x of F(T ; x) P1 else P2
Cryptographic Primitives. In order to express public-key digital signatures we use
key pairs (PubKey(seed),PrivKey(seed)) created from the same seed by applying functions
PubKey and PrivKey. A signature of term T under private key PrivKey(seed) then simply
corresponds to applying the function Sign to yield Sign(PrivKey(seed), T ). Checking of
the signature amounts to verifying that the seeds of the known public key and the private
key used for the encryptions are the same, and that the right term T has been signed.
As shown in the following definition, this procedure can be completely hidden in the
protocol specification by definition of the action checksig, where seed is a fresh variable,
11
Comm N1 ‖ N2 ≡ N2 ‖ N1
Assoc N1 ‖ (N2 ‖ N3) ≡ (N1 ‖ N2) ‖ N3
Refl N ≡ N
Sym N ′ ≡ NN ≡ N ′
Trans N ≡ N ′′ N ′′ ≡ N ′
N ≡ N ′
ComposeN1 ≡ N ′
1
N1 ‖ N2 ≡ N ′1 ‖ N2
Red N → N ′
N ≡ N ′
Par n[P1 | P2, S1 ∪ S2] ≡ n[P1, S1] ‖ n[P2, S2]
Table 4: Structural equivalence
seed /∈ fv(P1) ∪ fv(P2).
checksig sig pubkey T P1 else P2 ≡case pubkey of PubKey(; seed)
case sig of Sign(PrivKey(seed), T ; ) P1 else P2
else
P2
This style of specification can be applied analogously to asymmetric encryption and, sim-
pler, symmetric encryption as is shown with the following definitions.
asymdec msg privkey x P1 else P2 ≡case privkey of PrivKey(; seed)
case msg of AsymEnc(PubKey(seed);x) P1 else P2
else
P2
symdec msg SymKey(seed) x P1 else P2 ≡case msg of SymEnc(SymKey(seed);x) P1 else P2
For a Dolev-Yao style attacker specification, one will then equip the attacker with
asymdecrypt and symdecrypt and the ability to apply the functions Sign, AsymEnc, and
SymEnc, but not the functions PrivKey and SymKey.
12
2.4 Behavioural Equivalences
In this section, we define several notions of equivalences for networks.
Definition 2.5 (T -Bisimilarity) The relation S is called a T -simulation if N SM im-
plies: whenever N(U,m)]−−−−→G∈T N ′ then, for some M ′, M
(U,m)]−−−−→G∈T M ′ and N ′ SM ′. Sis called a T -bisimulation if both S and its converse are T -simulations. T -bisimilarity,
written ∼T , is the largest T -bisimulation.
T -bisimilarity allows for reasoning about networks on specific topologies as the follow-
ing two examples show.
Example 2.6 The following propositions are proved by defining a set S ⊆ N × N and
proving that it is a T -bisimulation.
(1) Let T be a network topology isolating n, i.e. ∀ G ∈ T . @ m. (m,n) ∈ E(G). Then,
n[in x.P, S] ∼T n[nil, S].
(2) If G ∈ T implies (n, m) ∈ E(G) ⇔ (n′,m) ∈ E(G) for all m ∈ V (G), then
n[in x.nil, S] ‖ n′[in x.nil, S] ∼T n[in x.nil, S].
Proof. (1) Let S = {(n[in x.P, S], n[nil, S])}. Since n is isolated, In2 is the only rule
applicable to n[in x.P, S] and n[in x.P, S](U,m):−−−−→G∈T n[in x.P, S] is the only derivation
we can assume. n[nil, S] can simulate this with Nil: n[nil, S](U,m):−−−−→G∈T n[nil, S]. The
converse direction is analogous.
(2) Take S = {P ∈ {in x.nil, nil} : (n[P, S] ‖ n′[P, S], n[P, S])}. 2
If networks are sought to be equivalent on any given network topology, one has to
resort to the following definition.
Definition 2.7 (Bisimilarity) Networks N and M are said to be bisimilar, written N ∼M , if they are Tmax-bisimilar.
Recall from Section 2.2 that Tmax contains all graphs on Nloc .
The examples show that terminated nodes or nodes which no longer interact with the
environment are insignificant with respect to network interaction.
Example 2.8
(1) n[nil, {ε}] ‖ N ∼ N
(2) If n /∈ V (N) then n[nil, S] ‖ N ∼ N .
13
Barb-Empty N ↓n ε
Barb-Store n[store T.P, S] ↓n T
Barb-StructN ≡ N ′ N ′ ↓n U
N ↓n U
Barb-PParN ↓n U
N ‖ M ↓n U
Table 5: Barb predicate
(3) n[read x.nil, S] ∼ n[nil, S′]
(4) n[store T.nil, S] ∼ n[nil, S′]
(5) n[nil, S] ∼ n′[nil, S′]
Again, these propositions are proved by finding an appropriate T -bisimulation S in each
case. Note for (2) that n /∈ V (N) prevents N from acquiring yet unknown terms from S
which could be sent and thus distinguish the networks.
The presented notion of bisimilarity distinguishes networks by their communication
capabilities.
Whenever a node n transmits (T, n)!, a node with the same name n in the corre-
sponding network is also ready to transmit (T, n)!.
Whenever one or more nodes receive (U,m)?, one or more nodes in the corresponding
network are also ready to receive (U,m)?.
Whenever the complete network refuses a message (U,m):, all the nodes of the
corresponding network refuse as well.
Internal actions such as storage and retrieval are ignored as long as they do not interfere
with the communication capabilities, as shown in Example 2.8 (3) and (4). However,
n[store T.P, S] � n[P, S] for arbitrary P if T /∈ S, since (T, n)! can distinguish them.
In order to distinguish networks by their capability to store terms, without having
to rely on the existence of distinguishing communication actions, we define a barbed
equivalence. The barb predicate N ↓n U (defined in Table 5) holds if N can “immediately”
store term U at location n, i.e. without requiring another network interaction.
Definition 2.9 (Barbed Equivalence) A Tmax-simulation S is called a barbed simula-
tion if N SM implies for each barb U and all n ∈ V (N)∩V (M): if N ↓n U then M ↓n U .
14
Conv-BarbN ↓n U
N ⇓Tn U
Conv-CommN
m!−→G∈T N ′ N ′ ⇓Tn U
N ⇓Tn U
Table 6: Convergence predicate
S is called a barbed bisimulation if both S and its converse are barbed simulations. Barbed
equivalence, written •∼, is the largest barbed bisimulation.
As the following example shows, barbed equivalence will distinguish some networks
which before were identified by bisimilarity.
Example 2.10 n[store T.nil, S] •� n[nil, S′]
More generally, the following results can be checked by examining the definitions of the
equivalences:
Theorem 2.11
(1) N ∼ M implies N ∼T M for any T .
(2) N •∼ M implies N ∼ M .
Proof. (1) Fix a topology T and assume N ∼ M . By definition of bisimilarity, there exists
a Tmax-bisimulation S such that if N SM and N(U,m)]−−−−→G∈Tmax N ′ then, for some M ′,
M(U,m)]−−−−→G∈T M ′ and N ′ SM ′. Because T ⊆ Tmax, S is also a T -bisimulation.
(2) By definition, barbed equivalence provides a Tmax-bisimulation S. 2
However, it turns out that barbed equivalence is too fine-grained to be useful for
security analysis. This is because the desired security property (defined later in Section 4.3)
only regards storage actions as crucial for security because they describe a long-term
commitment of a node (an item put in a routing table will be used again and again);
it does not matter on the other hand which messages are transmitted on the network
(a secure protocol will just discard forged messages). For this the convergence predicate
N ⇓Tn U is defined and holds if N will eventually store U (possibly after some interactions
under network topology T ) at location n.
The convergence predicate then gives rise to the desired notion of equivalence:
Definition 2.12 (Mediated Equivalence) For given topology T and function c : T →T, called a mediator, we write N vc
T M if for any term U and for all n ∈ V (N) ∩ V (M):
N ⇓Tn U implies M ⇓Tn c(U). Mediated equivalence, written 'cT , is then defined as:
N 'cT M iff N vc
T M and M vcT N .
15
The mediator c : T → T is needed because the storage of some terms can be considered
secure. It is used to fine-tune the equivalence to the respective protocol specification. The
next example illustrates this.
Example 2.13 Let a mediator cS and two networks N and M(U) be defined as follows.
cS(U) =
{ε if U = Tsec
U otherwise
Ndef= n[in x.store x.nil, S]
M(U) def= m[out U.nil, S′]
Then, the following holds because N ⇓Tn cS(Tsec):
N ‖ M(Tsec) 'cST N
However, the same is not true if the “secure” term Tsec is replaced by any other term
Tattack .
Finally, the following theorem turns out to be helpful, and can be directly proved from
the definition of vcT and rule PPar:
Theorem 2.14 For all networks N , M and mediators c with c(U) ∈ {ε, U} for all U , the
following holds:
N vcT N ‖ M
Proof. By definition of vcT , where we note that V (N) ∩ V (N ‖ M) = V (N), we have to
show the following result:
∀ U. ∀ n ∈ V (N). N ⇓Tn U ⇒ N ‖ M ⇓Tn c(U)
If c(U) = ε, we can show N ‖ M ⇓Tn c(U) to hold directly with Conv-Barb and
Barb-Empty.
Fix thus U 6= ε and n ∈ V (N), and assume N ⇓Tn U . By induction on the shape of
the derivation tree for N ⇓Tn U (only examination of Conv-Comm and Conv-Barb are
required) we know that there exists N ′ such that N −→∗T N ′ and N ′ ↓n U (∗).
We show the following auxiliary result by induction on the length of the derivation
sequence for N ′:
N −→kT N ′ ⇒ ∃ M. N ‖ M −→k
T N ′ ‖ M ′
For k = 0 the result holds vacuously. We assume that N −→k+1T N ′, which can be
written as N −→kT N ′′ (U,m)!−−−−→G∈T N ′. By induction hypothesis, there exists M ′′ such
that N ‖ M −→kT N ′′ ‖ M ′′. By structural induction on M ′′, it can be shown that
there exists M ′ such that M ′′ (U,m)\−−−−→G∈T M ′ for either \ = ? or \ = :. Using PPar on
N ′′ (U,m)!−−−−→G∈T N ′ and M ′′ (U,m)\−−−−→G∈T M ′ we can establish the auxiliary result.
16
To establish the main result, take M ′ such that N ‖ M −→∗T N ′ ‖ M ′ (∗∗), where M ′
exists because of the auxiliary result. From (∗) and Barb-PPar we have N ′ ‖ M ′ ↓n U ,
and with Conv-Barb also N ′ ‖ M ′ ⇓Tn U . By finitely many applications of Conv-Comm
on (∗∗) we have N ‖ M ⇓Tn U . 2
3 Control Flow Analysis
Control Flow Analysis is a program analysis technique to statically predict safe and com-
putable approximations to the sets of values which may arise during program execution.
While this technique was originally developed for functional languages [26], it has since
then been applied to a variety of programming paradigms, including calculi for concurrency
and security [5, 4].
The result of our analysis for a network N yields an overapproximation of
(1) the set of terms which may be transmitted in N , together with their senders, and
(2) the set of terms which may be stored in N , together with the location of the storage.
This will enable us later (Section 4) to automatically check whether networks are mediated
equivalent and prove a security property for network protocols specified in CBS#.
In this section, we will first describe a static abstraction of the network topology T ,
an important step to limit the state space arising from network execution. While our
abstraction is simple, it retains the important properties we need for our security analysis.
We then specify and describe our analysis and prove its semantic correctness by a subject
reduction theorem and two corollaries relating the network actions sending and storage to
our analysis result. We conclude with a brief overview of our implementation.
3.1 Topology Abstractions
The evolution of a network N to a network N ′, formally expressed as N −→∗T N ′, implies
that there is a sequence of graphs G1, G2, . . . , Gk ∈ T such that
N(U1,m1)!−−−−−→G1 N1
(U2,m2)!−−−−−→G2 N2 · · ·(Uk,mk)!−−−−−→Gk
N ′
and the graphs influence these derivations via rules In1 and In2. Thus, in order to overap-
proximate behaviour which might arise in the network, all possible links between senders
and receivers have to be considered. Rather than considering all G ∈ T at any given step
which would render infeasible the computation of the analysis, we can thus be safe by
defining a static abstraction G(T ) for T in the following way:
G(T ) = (⋃
G∈T V (G),⋃
G∈T E(G))
17
This means that an abstract network topology G(T ) is again a connectivity graph, and
contains all G ∈ T as subgraphs. It also ensures that an analysis over the abstract
network topology will enable rule In1 whenever a G ∈ T would have done it, since
(m, n) ∈ E(G(T )) iff ∃ G ∈ T . (m,n) ∈ E(G). (1)
On the other hand, the analysis will always be safe with respect to rule In2 because In2
does not lead to the execution of an action.
3.2 Specification
We specify the analysis by a flow logic [19, 17], which is an approach to static analysis
that separates the specification of the acceptability of an analysis estimate from its com-
putation. A flow logic specification consists of rules defining a judgement which expresses
the relation of estimates and program fragments. The rules have to be interpreted co-
inductively in the sense that an estimate is acceptable if it does not violate the conditions
outset in the rules.
In our case, we define a syntax-directed analysis with the two judgements to range
over the different syntactic categories:
(κ, σ) �C,θG(T ),n P judgement for processes
(κ, σ) �CG(T ) N judgement for networks
Both judgements are parameterised with a recursion environment C, which is used to
ensure termination of the analysis in presence of recursive appearances of constants. The
rules ensure that (A(T ), n) ∈ C for A(U) def= P whenever P is being analysed, and recursive
appearances of A(T ) are replaced by nil.
The main judgement for networks (κ, σ) �CG(T ) N reads “(κ, σ) is a valid analysis
estimate describing the behaviour of N under abstract network topology G(T )”. It is
parameterised with G(T ) and yields the following sets of values:
κ ⊆ T×Nloc network cache
σ ⊆ T×Nloc store cache
The contents of network and store cache can be intuitively described with the following
statements which hold during execution of network N .
(1) If the term T may be sent from location n, then (T, n) ∈ κ.
(2) If the term T may be stored at location n, then (T, n) ∈ σ.
The judgement for processes (κ, σ) �C,θG(T ),n P is furthermore parameterised with the
location n at which the particular process P is running, and carries the following local
environment:
θ ⊆ T×X substitution environment
18
Judgement for Processes
CFA-Nil (κ, σ) �C,θG(T ),n nil
CFA-Out (κ, σ) �C,θG(T ),n out T.P
iff (Tθ, n) ∈ κ ∧ (κ, σ) �C,θG(T ),n P
CFA-In (κ, σ) �C,θG(T ),n in x.P
iff ∀ (U,m) ∈ κ. (m,n) ∈ E(G(T )) ⇒ (κ, σ) �C,θ[U/x]G(T ),n P
CFA-Store (κ, σ) �C,θG(T ),n store T.P
iff (Tθ, n) ∈ σ ∧ (κ, σ) �C,θG(T ),n P
CFA-Read (κ, σ) �C,θG(T ),n read x.P
iff ∀ (U, n) ∈ σ. (κ, σ) �C,θ[U/x]G(T ),n P
CFA-Case (κ, σ) �C,θG(T ),n case T of F(T1 . . . Tj ;xj+1 . . . xk) P1 else P2
iff (Tθ = F(V1 . . . Vk) ∧∧j
i=1 Tiθ = Vi ⇒ (κ, σ) �C,θ[Vi/xi]
ki=j+1
G(T ),n P1) ∧(κ, σ) �C,θ
G(T ),n P2
CFA-Const (κ, σ) �C,θG(T ),n A(T )
iff
(κ, σ) �C,θG(T ),n nil if (A(T ), n) ∈ C
(κ, σ) �C∪{(A( eT ),n)},θG(T ),n P [T /U ] if (A(T ), n) /∈ C and A(U) def= P
CFA-Par (κ, σ) �C1∪C2,θG(T ),n P1 | P2
iff (κ, σ) �C1,θG(T ),n P1 ∧ (κ, σ) �C2,θ
G(T ),n P2
Judgement for Networks
CFA-Node (κ, σ) �CG(T ) n[Pθ, S]
iff (κ, σ) �C,θG(T ),n P ∧ ∀ U ∈ S. (U, n) ∈ σ
CFA-PPar (κ, σ) �C1∪C2
G(T ) N1 ‖ N2
iff (κ, σ) �C1
G(T ) N1 ∧ (κ, σ) �C2
G(T ) N2
Table 7: Control Flow Analysis for CBS#
Again intuitively, if (U, x) ∈ θ, written θ[U/x], the term U may be bound to variable x
during execution of P . The empty substitution environment is denoted ∅. The use of a
local environment allows for a more precise analysis of the case statement in our language
19
which in turn proves to be crucial for limiting the number of false positives arising from
the security analysis.
After this overview of the judgements, we turn to the formal specification of the analysis
in Table 7 and explain the rules in the following.
Judgement for networks. Rule CFA-Node says that (κ, σ) is a valid analysis result
describing the behaviour of node n[P [Ui/xi]ki=1, S] under abstract connectivity graph G(T )
iff it is also a valid analysis result for process P at n with a fresh variable environment which
only contains bindings corresponding to the substitutions [Ui/xi]ki=1 P might carry, and
all terms contained in store S are element of σ at n. Rule CFA-PPar is straightforward.
Judgement for processes. Rule CFA-Nil is straightforward. Rule CFA-Out says
that the analysis of process out T.P is achieved by the following: updating the network
cache κ with terms (Tθ, n) and computing the analysis for the continuation process P .
Rule CFA-In on the other hand looks at all terms (U,m) recorded in κ. For an edge
(m,n) ∈ E(G(T )), the local variable environment is updated at x with U and continuation
P evaluated under this new environment.
Rule CFA-Store is similar to CFA-Out. However, instead of inserting a term into
the network cache, the insertion is into the store cache σ at n, (U, n) ∈ σ. On the other
hand, rule CFA-Read resembles rule CFA-In: terms are now taken from the store cache
instead of the network cache, and the continuation P is evaluated under the updated
variable environment.
In rule CFA-Case, if Tθ is of the form F(V1 . . . Vk), it is checked that T1θ = V1 ∧. . . ∧ Tjθ = Vj , meaning that the first j arguments of F match. Then the continuation
P1 is analysed under a substitution environment which maps xi to Vi for i = j + 1, . . . , k,
meaning the remaining arguments of F are bound to the variables xi.
Rule CFA-Const says that constants are expanded and analysed once, possible re-
cursive appearances in the continuation (then contained in C) are replaced by nil. Rule
CFA-Par is straightforward.
3.3 Semantic correctness
In Section 3.2 we have informally stated what elements a valid analysis estimate (κ, σ)
will contain. The goal of this section is to formally establish these statements. As flow
logic is a semantics based approach, we prove the analysis estimate correct with respect
to the operational semantics of Section 2.2. Well-definedness and Moore family result for
the analysis are straightforward using the techniques described in [17] and therefore not
included in this report. The main result is a subject reduction theorem which is proved
in this section and states that the analysis estimate remains acceptable when the network
evolves. From this, statements about κ and σ follow directly.
20
The following lemma states auxiliary subject reduction results which hold for the
reduction relation and structural equivalence.
Lemma 3.1 For all (A(T ), n) ∈ C let (κ, σ) �C,∅G(T ),n P [T /U ] if A(U) def= P . Then the
following implications hold:
(1) if N → N ′ and (κ, σ) �CG(T ) N , then (κ, σ) �C′
G(T ) N ′, and
(2) if N ≡ N ′ and (κ, σ) �CG(T ) N , then (κ, σ) �C′
G(T ) N ′,
where C ⊆ C′ and for all (A(T ), n) ∈ C′\C we have (κ, σ) �C′,∅
G(T ),n P [T /U ] if A(U) def= P .
Proof. (1) The proof is by induction on the shape of the derivation tree for N → N ′.
Case Store. Then N = n[store T.P, S] and N ′ = n[P, S ∪ {T}].
(κ, σ) �CG(T ) n[store T.P, S] (by assumption)
thus (κ, σ) �C,∅G(T ),n store T.P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
thus (T, n) ∈ σ ∧ (κ, σ) �C,∅G(T ),n P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Store)
thus (κ, σ) �C,∅G(T ),n P ∧ ∀ U ∈ S ∪ {T}. (U, n) ∈ σ
thus (κ, σ) �CG(T ) n[P, S ∪ {T}] (by CFA-Node)
Case Read. Then N = n[read x.P, S] and N ′ = n[P [T/x], S]. From the preconditions of
Read we know T ∈ S (∗).
(κ, σ) �CG(T ) n[read x.P, S] (by assumption)
thus (κ, σ) �C,∅G(T ),n read x.P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
thus ∀ (U, n) ∈ σ. (κ, σ) �C,[U/x]G(T ),n P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Read)
thus (κ, σ) �C,[T/x]G(T ),n P ∧ ∀ U ∈ S. (U, n) ∈ σ (by (∗))
thus (κ, σ) �CG(T ) n[P [T/x], S] (by CFA-Node)
Case Case1. Then N = n[case T of F(T ; x) P1 else P2, S] and N ′ = n[P1[U/x], S], where
T = F(T , U) (∗) from the preconditions of Case1 and T = T1 . . . Tj , x = xj+1 . . . xk,
U = Uj+1 . . . Uk.
(κ, σ) �CG(T ) n[case T of F(T1 . . . Tj ;xj+1 . . . xk) P1 else P2, S] (by assumption)
thus (κ, σ) �C,∅G(T ),n case T of F(T1 . . . Tj ;xj+1 . . . xk) P1 else P2 ∧
∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
thus (T = F(V1 . . . Vk) ∧∧j
i=1 Ti = Vi ⇒ (κ, σ) �C,[Vi/xi]
ki=j+1
G(T ),n P1) ∧∀ U ∈ S. (U, n) ∈ σ (by CFA-Case)
thus (κ, σ) �C,[Ui/xi]
ki=j+1
G(T ),n P1 ∧ ∀ U ∈ S. (U, n) ∈ σ (by (∗))thus (κ, σ) �CG(T ) n[P1[U/x], S] (by CFA-Node)
21
Case Case2. Then N = n[case T of F(T ; x) P1 else P2, S] and N ′ = n[P2, S].
(κ, σ) �CG(T ) n[case T of F(T ; x) P1 else P2, S] (by assumption)
thus (κ, σ) �C,∅G(T ),n case T of F(T ; x) P1 else P2 ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
thus (κ, σ) �C,∅G(T ),n P2 ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Case)
thus (κ, σ) �CG(T ) n[P2, S] (by CFA-Node)
Case Const. Then N = n[A(T ), S] and N ′ = n[P ′, S′].
(κ, σ) �CG(T ) n[A(T ), S] (by assumption)
thus (κ, σ) �C,∅G(T ),n A(T ) ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
We have to distinguish two subcases when applying CFA-Const:
(a) Assume (A(T ), n) ∈ C. From the preconditions of Const we have A(U) def= P and
thus (κ, σ) �C,∅G(T ),n P [T /U ] from the preconditions of the lemma. With CFA-Node we
have (κ, σ) �CG(T ) n[P [T /U ], S]. Furthermore, we know n[P [T /U ], S] → n[P ′, S′] from
Const. We can thus apply the induction hypothesis to have (κ, σ) �C′
G(T ) n[P ′, S′], and the
postconditions of the theorem hold for C′ because they hold for the induction hypothesis.
(b) Assume (A(T ), n) /∈ C. Then we have (κ, σ) �C∪{(A( eT ),n)},∅G(T ),n P [T /U ] from CFA-Const.
By taking C′ = C∪{(A(T ), n)}, the postconditions of the lemma are fulfilled. Furthermore,
we can apply the induction hypothesis as in (a) to have (κ, σ) �C′′
G(T ) n[P ′, S′].
(2) The proof is by induction on the shape of the derivation tree for N ≡ N ′.
Case Comm. Then N = N1 ‖ N2 and N ′ = N2 ‖ N1.
(κ, σ) �CG(T ) N1 ‖ N2 (by assumption)
thus (κ, σ) �CG(T ) N1 ∧ (κ, σ) �CG(T ) N2 (by CFA-PPar)
thus (κ, σ) �CG(T ) N2 ‖ N1 (by CFA-PPar)
Case Assoc. Then N = N1 ‖ (N2 ‖ N3) and N ′ = (N1 ‖ N2) ‖ N3. The result is
established by four applications of CFA-PPar analogously to case Comm.
Case Refl. Then N = N ′. Nothing to show.
Case Sym. We have (κ, σ) �CG(T ) N by assumption. The induction hypothesis applied to
N ′ ≡ N is
N ′ ≡ N ∧ (κ, σ) �CG(T ) N ′ ⇒ (κ, σ) �C′
G(T ) N
Since C ⊆ C′, (κ, σ) �CG(T ) N , and N ′ ≡ N are true, (κ, σ) �CG(T ) N ′ must be true as well.
Case Trans. We have (κ, σ) �CG(T ) N by assumption and can apply the induction hy-
pothesis first to N ≡ N ′′ to get (κ, σ) �C′′
G(T ) N ′′, and thus a second time to N ′′ ≡ N ′ to
get (κ, σ) �C′
G(T ) N ′.
22
Case Compose. Then N = N1 ‖ N2 and N ′ = N ′1 ‖ N2. We have (κ, σ) �CG(T ) N1 ‖ N2
and with CFA-PPar also (κ, σ) �CG(T ) N1 and (κ, σ) �CG(T ) N2. We can thus apply the
induction hypothesis to N1 ≡ N ′1 to get (κ, σ) �
C′1G(T ) N ′
1. Together with (κ, σ) �CG(T ) N2
we have (κ, σ) �C′
G(T ) N ′1 ‖ N2 as desired with CFA-PPar.
Case Red. We have (κ, σ) �CG(T ) N by assumption and N → N ′ by Red and can apply
Lemma 3.1 (1) to yield (κ, σ) �C′
G(T ) N ′.
Case Par. Then N = n[P1 | P2, S1 ∪ S2] and N ′ = n[P1, S1] ‖ n[P2, S2].
(κ, σ) �CG(T ) n[P1 | P2, S1 ∪ S2] (by assumption)
thus (κ, σ) �C,∅G(T ),n P1 | P2 ∧ ∀ U ∈ S1 ∪ S2. (U, n) ∈ σ (by CFA-Node)
thus (κ, σ) �C,∅G(T ),n P1 ∧ (κ, σ) �C,∅
G(T ),n P2 ∧∀ U ∈ S1. (U, n) ∈ σ ∧ ∀ U ∈ S2. (U, n) ∈ σ (by CFA-Par)
(κ, σ) �CG(T ) n[P1, S1] ‖ n[P2, S2] (by CFA-Node) 2
The following lemma simplifies the proofs of Theorem 3.3 and Theorem 3.4.
Lemma 3.2 For all (A(T ), n) ∈ C let (κ, σ) �C,∅G(T ),n P [T /U ] if A(U) def= P . Then the
following implication holds:
if N(T,n)!−−−→G∈T N ′ and (κ, σ) �CG(T ) N, then (T, n) ∈ κ.
Proof. The proof is by induction on the shape of the derivation tree for N(T,n)!−−−→G∈T N ′.
Considering the label (T, n)!, it suffices to distinguish the following three cases:
Case Out1. Then N = n[out T.P, S]. We have (κ, σ) �CG(T ) n[out T.P, S] by assumption.
We can apply CFA-Node to have (κ, σ) �C,∅G(T ),n out T.P , and then CFA-Out to get
(T, n) ∈ κ.
Case PPar. Then N = N1 ‖ N2. We have (κ, σ) �CG(T ) N1 ‖ N2 by assumption, and
with CFA-PPar thus (κ, σ) �CG(T ) N1 and (κ, σ) �CG(T ) N2. The premises of PPar are
N1(T,n)]1−−−−→G∈T N ′
1 and N2(T,n)]2−−−−→G∈T N ′
2. We know ]1◦]2 = !, hence either ]1 = ! or ]2 = !
by properties of ◦. For the premise labelled (T, n)!, together with either (κ, σ) �CG(T ) N1
or (κ, σ) �CG(T ) N2, whichever is relevant, the induction hypothesis can be applied to give
(T, n) ∈ κ.
Case Struct. We have (κ, σ) �CG(T ) N by assumption. We assume the premises of
Struct, in particular N ≡ M and M(T,n)]−−−−→G∈T M ′. Applying Lemma 3.1 (2) to N ≡ M
and (κ, σ) �CG(T ) N gives (κ, σ) �C′
G(T ) M , and the preconditions of the induction hypothesis
are fulfilled. Thus, the induction hypothesis can be applied to give (T, n) ∈ κ. 2
23
Using Lemma 3.1 and 3.2, we have the following semantic correctness theorem, which
ensures that the analysis estimate is a safe description of what will happen during the
evolution of a network.
Theorem 3.3 (Subject Reduction) For all (A(T ), n) ∈ C let (κ, σ) �C,∅G(T ),n P [T /U ] if
A(U) def= P . Then the following implication holds:
if N(U,m)!−−−−→G∈T N ′ and (κ, σ) �CG(T ) N, then (κ, σ) �C
′
G(T ) N ′,
where C ⊆ C′ and for all (A(T ), n) ∈ C′\C we have (κ, σ) �C′,∅
G(T ),n P [T /U ] if A(U) def= P .
Proof. The proof requires that we consider general labels (U,m)]. We thus show the result
by induction on the shape of the derivation tree for M(U,m)]−−−−→G∈T M ′, where M and M ′
are subterms of N and N ′, respectively.
Case Nil. Then M = M ′ = n[nil, S]. Nothing to show.
Case Out1. Then M = n[out T.P, S] and M ′ = n[P, S]. We have
(κ, σ) �CG(T ) n[out T.P, S] (by assumption)
thus (κ, σ) �C,∅G(T ),n out T.P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
thus (κ, σ) �C,∅G(T ),n P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Out)
thus (κ, σ) �CG(T ) n[P, S] (by CFA-Node)
Case Out2. Then M = M ′ = n[out T.P, S]. Nothing to show.
Case In1. Then M = n[in x.P, S] and M ′ = n[P [U/x], S]. By assuming the preconditions
of the theorem, N(U,m)!−−−−→G∈T N ′ and (κ, σ) �CG(T ) N , Lemma 3.2 gives (U,m) ∈ κ (∗).
From the preconditions of In1 we know (m,n) ∈ E(G), and with Equation (1) on page 18
we have (m,n) ∈ E(G(T )) (∗∗).
(κ, σ) �CG(T ) n[in x.P, S] (by assumption)
thus (κ, σ) �C,∅G(T ),n in x.P ∧ ∀ U ∈ S. (U, n) ∈ σ (by CFA-Node)
thus (∀ (U ′,m′) ∈ κ. (m′, n) ∈ E(G(T )) ⇒ (κ, σ) �C,[U ′/x]G(T ),n P )∧
∀ U ∈ S. (U, n) ∈ σ (by CFA-In)
thus ((m,n) ∈ E(G(T )) ⇒ (κ, σ) �C,[U/x]G(T ),n P ) ∧ ∀ U ∈ S. (U, n) ∈ σ (by (∗))
thus (κ, σ) �C,[U/x]G(T ),n P ∧ ∀ U ∈ S. (U, n) ∈ σ (by (∗∗))
thus (κ, σ) �CG(T ) n[P [U/x], S] (by CFA-Node)
Case In2. Then M = M ′ = n[in x.P, S]. Nothing to show.
Case PPar. Then M = M1 ‖ M2 and M ′ = M ′1 ‖ M ′
2. We have (κ, σ) �CG(T ) M1 ‖ M2
by assumption, and with CFA-PPar thus (κ, σ) �CG(T ) M1 and (κ, σ) �CG(T ) M2. We
can use the induction hypothesis twice on M1(U,m)]1−−−−−→G∈T M ′
1 and M2(U,m)]2−−−−−→G∈T M ′
2
24
to have (κ, σ) �C′1G(T ) M ′
1 and (κ, σ) �C′2G(T ) M ′
2, and the postconditions of the induction
hypothesis hold for C′1 and C′2. With CFA-PPar we have (κ, σ) �C′1∪C′2G(T ) M ′
1 ‖ M ′2, and the
postconditions of the theorem hold for C′1 ∪ C′2.
Case Struct. We have (κ, σ) �CG(T ) M by assumption. We assume the preconditions of
Struct: M ≡ L, L(U,m)]−−−−→G∈T L′, and L′ ≡ M ′. By application of Lemma 3.1 (2) to
M ≡ L and (κ, σ) �CG(T ) M we have (κ, σ) �C′′
G(T ) L, and the postconditions of the induction
hypothesis hold for C′′. Hence, we can apply the induction hypothesis on L(U,m)]−−−−→G∈T L′
to have (κ, σ) �C′
G(T ) L′, and the postconditions of the induction hypothesis hold for C′. By
applying Lemma 3.1 (2) again, we have (κ, σ) �C′
G(T ) L′. 2
The two main results describing the contents of a valid analysis estimation almost
directly follow from this subject reduction result. The first result formalises our previous
claim “if the term T may be sent from location n during evolution of a network N , then
(T, n) ∈ κ”.
Theorem 3.4 If N −→∗T N ′ (T,n)!−−−→G∈T N ′′ and (κ, σ) �∅
G(T ) N , then (T, n) ∈ κ.
Proof. We have (κ, σ) �∅G(T ) N by assumption and can thus apply Theorem 3.3 finitely
many times to the derivations N −→∗T N ′ to yield (κ, σ) �CG(T ) N ′. The accumulated
postconditions of the applications of Theorem 3.3 give the preconditions for Lemma 3.2.
With N ′ (T,n)!−−−→G∈T N ′′ we can apply Lemma 3.2 to have (T, n) ∈ κ. 2
The next theorem formalises “if a term T 6= ε may be stored at location n during
evolution of a network N , then (T, n) ∈ σ”.
Theorem 3.5 For T 6= ε, the following implication holds: if N ⇓Tn T and (κ, σ) �∅G(T ) N ,
then (T, n) ∈ σ.
Proof. By induction on the shape of the derivation tree for N ⇓Tn T , which involves only
finitely many applications of Conv-Comm, Conv-Barb, Barb-PPar, Barb-Struct,
and Barb-Store, there exist N ′, N ′′, P, S such that the following statements hold:
N −→∗T N ′ ∧N ′ ≡ N ′′ ‖ n[store T.P, S]
Since we have (κ, σ) �∅G(T ) N by assumption, we can thus apply Theorem 3.3 finitely
many times to the derivations N −→∗T N ′ to yield (κ, σ) �CG(T ) N ′. The accumulated
postconditions of the applications of Theorem 3.3 give the preconditions for Lemma 3.1
(2). We can apply Lemma 3.1 (2) to have (κ, σ) �C′
G(T ) N ′′ ‖ n[store T.P, S]. Furthermore,
by CFA-PPar we have (κ, σ) �C′
G(T ) n[store T.P, S], and we can apply CFA-Store as in
the corresponding case of the proof of Lemma 3.1 (1) to have (T, n) ∈ σ. 2
25
3.4 Implementation
We have implemented our Control Flow Analysis using the Succinct Solver [16], a con-
straint solving tool. Constraints are specified as formulae in a Horn-like fragment of
first-order predicate logic, called Alternation-free Least Fixed Point Logic (ALFP), and
the solver computes interpretations of predicates which satisfy those formulae. The anal-
ysis of Table 7 can almost directly be translated into a generation function for ALFP
formulae, however to achieve a finite universe of values we have to use regular grammars
to represent terms, a technique introduced in [18].
4 Security Analysis of Mobile Wireless Networks
In Section 2 we have presented a calculus particularly suitable to model the behaviour of
mobile wireless networks and Section 3 established a Control Flow Analysis on terms of
this calculus to overapproximate the sets of terms transmitted and stored in a network. In
this section we will show how these results can be combined into a framework for security
analysis of mobile wireless networks.
We start by pointing out differences of secure communication protocols for mobile
wireless networks to the more “traditional” security protocols for authentication, confi-
dentiality and similar properties. We will then describe SAODV-basic, a simplified version
of the combination of the routing protocol AODV [22] and its security extension SAODV
[11]. SAODV-basic motivates the definition of a consistency condition for networks, a
building block for routing security. The condition is based on the notion of mediated
equivalence, developed in Section 2.4, and we show a result relating our analysis estimate
to mediated equivalent networks. Our framework can thus be used for automated security
analysis. We conclude the section with the analysis results for SAODV-basic showing that
the protocol is insecure, and present a simple attack.
4.1 Security Protocols vs. Secure Communication Protocols
In Section 1.1 we have described the main operational characteristics of communication
protocols for mobile wireless networking. Here, we want to clarify their security charac-
teristics. For this purpose, it is helpful to compare them with the more common security
protocols for authentication, confidentiality and similar properties. This is done in the
following with respect to properties and modelling aspects:
Security Properties Security protocols are designed to achieve one or more specific
security properties. In contrast, communication protocols provide network services
which are not related to any kind of security property. Securing such protocols
26
means to ensure that the network service can be provided unconditionally, even in
an adversarial environment.
Security Modelling Security protocols are usually point-to-point, meaning that only
the endpoints of communications are modelled and the environment is replaced by
the Dolev-Yao attacker. For communication protocols, the states of the intermediate
nodes and their connectivity matter and cannot be abstracted away. Consequentially,
the attacker should be limited by the environment conditions as well.
Before applying these insights to the definition of a consistency condition for routing
security in Section 4.3, we will now specify a concrete routing protocol for later analysis
in our framework.
4.2 SAODV-basic
The Ad-hoc On-demand Distance Vector (AODV) protocol [22], also standardised by the
IETF as RFC 3561 [21], is a routing protocol for mobile ad-hoc networks in which a node
tries to find a route to a destination only if needed (on-demand). Its operation is based
on routing tables and requires that each node stores a “vector” of direction (the next hop)
and distance (number of hops) for a particular destination. SAODV [11], in the process
of standardisation by the IETF [10], is a protocol extension of AODV to secure the route
discovery mechanism.
Simplifications. While a full description of AODV and its SAODV extension is be-
yond the scope of this paper, we can illustrate the use of our specification and analysis
framework with SAODV-basic, a much simplified version of the combination of the two
protocols. A main simplification is obtained by only describing route discovery and no
route maintenance; this is straightforward as the two mechanisms are largely independent
of each other. More problematic seems our omission of distance information in routing
tables and messages. However, one may argue that it should be possible to prove correct
the use of direction information independently of distance information. This view is sup-
ported by the fact that SAODV uses a distinct second mechanism (hash chains) to deal
with distance information. While final conclusions for AODV/SAODV can only be drawn
from a full model, we thus have reason to believe that our main results will translate to
the full model.
Operation. In Table 8 we show the main subroutines of SAODV-basic, modelled in
CBS#. We describe the operation of the protocol by referring to this model.
If a node ns (the source) needs to communicate with another node nd (the destination)
for which it has no routing information, ns initiates a route discovery process. A route
discovery comprises the following steps:
27
SendRREQ(dstip, ip) def=out RREQ(dstip, ip, ip,PubKey(ip),
Sign(PrivKey(ip),Tuple(RREQ , dstip, ip,PubKey(ip))))
ReceiveRREQ(ip) def=in RREQ(; dstip, origip, sndip, pubkey , sig).case pubkey of PubKey(origip; )
checksig sig pubkey Tuple(RREQ , dstip, origip, pubkey)store Route(origip, ip, sndip).if dstip = ip then
out RREP(dstip, origip, sndip, ip,PubKey(ip),Sign(PrivKey(ip),Tuple(RREP , dstip, origip,PubKey(ip))))
elseout RREQ(dstip, origip, ip, pubkey , sig)
else nilelse nil
| ReceiveRREQ(ip)
ReceiveRREP(ip) def=in RREP(; dstip, origip, addrip, sndip, pubkey , sig).if addrip = ip then
case pubkey of PubKey(dstip; )checksig sig pubkey Tuple(RREP , dstip, origip, pubkey)
store Route(dstip, ip, sndip).if origip = ip then
nilelse
read Route(origip, ip;nexthop)out RREP(dstip, origip,nexthop, ip, pubkey , sig)
else nilelse nil
else nilelse nil
| ReceiveRREP(ip)
Table 8: Subroutines of SAODV-basic specified in CBS#
Sending RREQs ns initiates the route discovery by broadcasting a route request RREQ
which contains the destination IP address, the source IP address, the IP address of
the immediate sender, the public key of the source, and a signature of message type,
destination IP, source IP, and source public key, with the private key of the source. In
our notation, this amounts to the message RREQ(nd, ns, ns,PubKey(ns), sig), where
sig is Sign(PrivKey(ns),Tuple(RREQ , nd, ns,PubKey(ns))).
Receiving RREQs Every node n receiving a route request RREQ(nd, ns, ni, pubkey , sig)
28
will first check whether the provided public key belongs to the source. For this, the
existence of a Public Key Infrastructure is assumed; this can be modelled elegantly
by using the respective IP address as seed in the public/private key generation. It
will then check whether the source signed the tuple Tuple(RREQ , nd, ns, pubkey)
with its private key. If one of these checks fails, n will abort. Otherwise, it makes an
entry into its routing table to provide a reverse route leading to the source. The entry
reads Route(ns, n, ni) and means that whenever a packet addressed to ns arrives at
n, it will be forwarded to the next hop ni, the immediate sender of the RREQ .
n will then check whether it is the destination itself, i.e. nd = n. If so, the n
will send out a route reply RREP , containing its IP address, the source IP ad-
dress, the IP address of the next hop of the reverse path (the addressee, in our
case the immediate sender ni), its public key, and a signature of the tuple of non-
mutable fields with its private key. RREP(nd, ns, ni, nd,PubKey(nd), sig ′), where sig ′
is Sign(PrivKey(nd),Tuple(RREP , nd, ns,PubKey(nd)))
If nd 6= n, n will rebroadcast the request, changing only the IP address of the
immediate sender to its own IP: RREQ(nd, ns, n,PubKey(ns), sig).
Receiving RREPs Every node n receiving a route reply message
RREP(nd, ns, na, ni, pubkey ′, sig ′) checks whether it is the addressee, i.e. na = n.
This implements a unicast on top of the broadcast, as all nodes will just drop
the message if they are not addressed. Otherwise, n will check whether the
provided public key belongs to the destination, and whether the destination signed
Tuple(RREP , nd, ns, pubkey ′). Again, n will abort on failure of any of these checks.
Otherwise, it makes an entry into its routing table to provide a forward route
leading to the destination, Route(nd, n, ni).
If n was the initiator of the RREQ in the first place, i.e. ns = n, it can now start send-
ing data packets to nd. Otherwise, n retrieves the route table entry Route(ns, n, nx)
for the reverse route to ns from the store to get the next hop nx on the reverse route.
It then rebroadcasts the route reply as RREP(nd, ns, nx, n, pubkey ′, sig ′).
4.3 Security Model for Routing Protocols
From the previous section, we can draw the following conclusions for routing table based
protocols such as SAODV-basic: Every node is a reactive system in the sense that it offers
a discrete interface to the environment and will accept and process any incoming message
matching certain formats. It will thus accept messages of honest nodes and attackers
alike. However, a node will only commit to this information if it updates its routing
table accordingly. The ability of nodes to filter out malicious information at this stage
29
determines the degree of security a protocol is offering. But when can such information be
considered as malicious? A minimal requirement seems to be that the information should
accurately represent the network topology. This leads to the definition of the following
condition.
4.3.1 A Consistency Condition for Routing Networks
We define a consistency mediator cT : T → T such that cT (U) evaluates to ε whenever
the topology is “correctly represented” and to U otherwise. As different routing protocols
will have different data representations for routing information, a formalisation of “correct
representation” is only possible in the context of a particular protocol specification. This
is shown here for SAODV-basic.Definition 4.1 (Consistency Mediator for SAODV-basic)
csaodvT (U) =
ε if for U = Route(nd, n1, n2) there exist
locations n3, . . . , nk such that nk = nd and
∀ i ∈ {1 . . . k − 1}. ∃ G ∈ T . (ni, ni+1) ∈ G
U otherwise
Recall that Route(nd, n1, n2) means in SAODV-basic that packets addressed to nd and
arriving at n1 will be forwarded to n2 as the next hop. The definition then says the
network topology should allow for a path from n1 to nd via n2. Using the notion of a
consistency mediator, we can define the following property for routing networks.
Definition 4.2 (Topology Consistency) For network N and network topology T , let
cT the consistency mediator for N . N is said to be topology consistent if the equivalence
N 'cTT (N ‖ M) holds for any network M .
Note that, from the definition of mediated equivalence, M (representing additional,
possibly malicious nodes) is allowed to store anything since the convergence predicate
is only checked for all n ∈ V (N) ∩ V (N ‖ M) = V (N). However, if interaction of N
with M in network N ‖ M causes inconsistent information to be stored by nodes of N ,
the equivalence in Definition 4.2 cannot be established. Furthermore, the definition does
not imply the topology consistency of N , meaning that faults in the protocol are not
misinterpreted as attacker actions.
4.3.2 Automated Security Analysis
Proving the topology consistency condition by hand is error-prone for large protocols. We
will thus use the analysis framework of Section 3 to establish these results. The following
theorem holds:
30
Theorem 4.3 For all networks N , M and mediators c with c(U) ∈ {ε, U} for all U , the
following implication holds: If (κ, σ) �CG(T ) N ‖ M and ∀ (U,m) ∈ σ. c(U) = ε, then
N 'cT N ‖ M .
Proof. By Definition 2.12, we know N 'cT N ‖ M iff N vc
T N ‖ M and N ‖ M vcT
N . Since c(U) ∈ {ε, U} for all U by assumption, the first inclusion can be proved by
Theorem 2.14.
It remains to show N ‖ M vcT N . By definition of vc
T , where we note that V (N) ∩V (N ‖ M) = V (N), we have to show the following result:
∀ U. ∀ n ∈ V (N). N ‖ M ⇓Tn U ⇒ N ⇓Tn c(U)
To prove this by contradiction, we assume its negation:
∃ U. ∃ n ∈ V (N). N ‖ M ⇓Tn U ∧ ¬(N ⇓Tn c(U))
Since ¬(N ⇓Tn c(U)) it must be that c(U) 6= ε (∗), because N ⇓Tn ε is true for any N .
(∗) allows us to apply Theorem 3.5 to N ‖ M ⇓Tn U and (κ, σ) �CG(T ) N ‖ M , both of
which we have by assumption, to yield (U, n) ∈ σ. However, we know by assumption that
∀ (U ′,m) ∈ σ. c(U ′) = ε, in particular c(U) = ε. This is a contradiction to (∗). 2
4.3.3 Attackers
Assume the set of function symbols F contains the following subsets:
FCom message constructors
F2way 2-way functions
FGen key generation functions
For example, RREQ,RREP ∈ FCom, Tuple ∈ F2way but Sign /∈ F2way. FGen contains
functions which model key generation function for secret keys, thus PrivKey ∈ FGen. They
are treated separately, because they are part of our cryptographic modelling for a public
key infrastructure: to a node with IP address ip we are simply associating the public-
private key pair (PubKey(ip),PrivKey(ip)). Obtaining a public key for ip means applying
PubKey to ip. At the same time, the attacker should not be allowed to apply the private
key function.
31
We can then define an attacker process Pa as follows:
P1(F) def= in F(;x1...xarity(F)).store x1....store xarity(F)
P2(F) def= read x1....read xarity(F).out F(;x1...xarity(F))
P3(F) def= read F(;x1...xarity(F)) store x1....store xarity(F) else nil
P4(F) def= read x1....read xarity(F).store F(;x1...xarity(F))
P5def= read x1.read x2.symdec x1 x2 x store x else nil
P6def= read x1.read x2.asymdec x1 x2 x store x else nil
Padef= (|F∈FCom
P1(F) | P2(F)) | (|F∈F2way P3(F)) |(|F∈F−FGen
P4(F)) | P5 | P6
This follows the Dolev-Yao formalisation in the sense that Pa can
receive messages and add their components to the store,
send messages constructed from the store,
add arguments of 2-way functions to the store,
apply functions to arguments from the store, and
perform decryption if keys are in the store.
Note that P1, P2 range only over functions from FCom, as this is a simple but secure way
to limit the number of terms which have to be generated by the analysis.
However, if we add the attacker to a network N to yield N ‖ na[Pa, {ε}], a major
difference to the Dolev-Yao approach is evident: When the network evolves, the attacker
is just an ordinary node which has to abide by the topology T . In general, the attacker
will neither be able to intercept all messages on the network nor inject messages at all
locations. We believe that this reflects accurately the situation in wireless networks: all
participants have to abide by purely physical restrictions imposed by radio transmission
ranges. In any case, it gives the protocol analyst more freedom, as the classic Dolev-Yao
case can be achieved by a careful modelling of T .
4.4 Analysis Results for SAODV-basic
The analysis of SAODV-basic in a simple scenario shows that the system is indeed not
topology consistent. Using the subroutines of Table 8, we can define the following processes
and nodes:
MsgHdl(ip) def= ReceiveRREQ(ip) | ReceiveRREP(ip)
N1(ip, dstip) def= ip[SendRREQ(dstip, ip) | MsgHdl(ip), {ε}]N2(ip) def= ip[MsgHdl(ip), {ε}]
32
?>=<89:;na
?>=<89:;n1� n2 //�
n2,, ?>=<89:;n2�
n1
oo6
n1rr
At n1 : Route(n2, n1, n2) At n2 : Route(n1, n2, n2)
Route(n2, n1, n1) Route(n1, n2, n1)
Figure 1: Attacker induces topology inconsistency
The message handler MsgHdl represents the main protocol routine. Both N1 and N2 are
parameterised nodes running this process, however N1 is addition given the capability to
initiate a route request. Our scenario then consists of a network of three nodes
Nsaodv = N1(n1, n2) ‖ N2(n2) ‖ na[Pa, {ε}]
where Pa is defined as in Section 4.3.3 and represents the attack process. Furthermore, a
network topology T is defined such that E(G(T )) = {(n1, na), (n2, na)}, thus n1 and n2
are never directly connected.
If (κ, σ) �CG(T ) Nsaodv, then Figure 1 shows the terms contained in σ (computed au-
tomatically by our implementation) and their graphical interpretation. Here, the doubly
dotted line represents the abstract network topology, and labelled arrows represent the
belief of the nodes about the topology. As the attacker can hide the own name by spoofing
sending addresses, the attacker makes n1 and n2 believe that they are directly connected,
which contradicts the topological situation. Thus, the equivalence of Definition 4.2 does
not hold.
As a comparison, Figure 2 shows the analysis for a network of honest nodes
N1(n1, n2) ‖ N2(n2) ‖ N2(n3) with E(G(T )) = {(n1, n3), (n2, n3)}. The network is topol-
ogy consistent, as node n1 correctly believes that there is a route to n2 via n3, and this
holds analogously for node n2.
5 Conclusion
In this paper we have presented the broadcast calculus CBS# and a static analysis to
formally analyse secure mobile wireless networks. While at first glance this setting seems to
resemble traditional security protocol analysis, we have pointed out that its complications
call for new modelling formalisms as well as novel security properties, which are provided
and expressible in our framework.
33
?>=<89:;n3
?>=<89:;n1
;
n2 =={{{{{{{{{ ?>=<89:;n2�
n1aaCCCCCCCCC
At n1 : Route(n2, n1, n3) At n2 : Route(n1, n2, n3)
Figure 2: Topologically consistent network of honest nodes
Several directions for future work suggest themselves: For example, the strength of
the restrained Dolev-Yao attacker needs more investigation, e.g. under which conditions
multiple such attackers are more powerful than a single one and whether a hierarchy of
such attackers can be established. Also, the topology consistency property alone does
not directly imply what one would understand under “routing security”. The challenge
is to find a set of properties implying this goal. Furthermore, it seems there might be a
reasonable margin to improve the precision of our static analysis (and then potentially
prove more properties), for example by refining the topology abstraction by using directed
and weighted graphs.
References
[1] Martın Abadi and Cedric Fournet. Mobile values, new names, and secure communica-
tion. In Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles
of programming languages, pages 104–115. ACM Press, 2001.
[2] Martın Abadi and Andrew D. Gordon. A calculus for cryptographic protocols: The
spi calculus. Inf. Comput., 148(1):1–70, 1999.
[3] Karthikeyan Bhargavan, Davor Obradovic, and Carl A. Gunter. Formal verification
of standards for distance vector routing protocols. J. ACM, 49(4):538–576, 2002.
[4] C. Bodei, M. Buchholtz, P. Degano, F. Nielson, and H. Riis Nielson. Automatic vali-
dation of protocol narration. In 16th IEEE Computer Security Foundations Workshop
(CSFW’03), pages 126–140, Pacific Grove, California, June 2003.
[5] Chiara Bodei, Pierpaolo Degano, Flemming Nielson, and Hanne Riis Nielson. Control
flow analysis for the pi-calculus. In CONCUR ’98: Proceedings of the 9th International
Conference on Concurrency Theory, pages 84–98. Springer-Verlag, 1998.
34
[6] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Transac-
tions on Computer Systems, 8(1), 1990.
[7] Sibusisiwe Chiyangwa and Marta Kwiatkowska. An Analysis of Timed Properties of
AODV. In Proc. 7th IFIP International Conference on Formal Methods for Open
Object-based Distributed Systems (FMOODS’05), 2005.
[8] Christian Ene and Traian Muntean. A broadcast-based calculus for communicating
systems. In 6th International Workshop on Formal Methods for Parallel Program-
ming: Theory and Applications, San Francisco, 2001.
[9] F. Javier Thayer Fabrega, Jonathan Herzog, and Josua D. Guttman. Strand spaces:
Proving security protocols correct. Journal of Computer Security, pages 191–230,
1999.
[10] Manel Guerrero Zapata. Secure Ad hoc On-Demand Distance Vector (SAODV) Rout-
ing. IETF MANET Internet Draft, March 2005.
[11] Manel Guerrero Zapata and N. Asokan. Securing Ad-Hoc Routing Protocols. In
Proceedings of the 2002 ACM Workshop on Wireless Security (WiSe 2002), pages
1–10, 2002.
[12] Y. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing protocol for
ad hoc networks. In The 8th ACM International Conference on Mobile Computing
and Networking, 2002.
[13] David B Johnson and David A Maltz. Dynamic source routing in ad hoc wireless
networks. In Imielinski and Korth, editors, Mobile Computing, volume 353. Kluwer
Academic Publishers, 1996.
[14] Sebastian Nanz and Chris Hankin. Static analysis of routing protocols for ad-hoc
networks. In Proceedings of the 2004 ACM SIGPLAN and IFIP WG 1.7 Workshop
on Issues in the Theory of Security (WITS’04), pages 141–152, 2004.
[15] Sebastian Nanz and Chris Hankin. Formal security analysis for ad-hoc networks.
In Proceedings of the 2004 Workshop on Views on Designing Complex Architectures
(VODCA’04), Electronic Notes in Theoretical Computer Science, 2005.
[16] F. Nielson, H. Riis Nielson, H. Sun, M. Buchholtz, R. Rydhof Hansen, H. Pilegaard,
and H. Seidl. The Succinct Solver Suite. In Proceedings of the 10th International
Conference on Tools and Algorithms for the Construction and Analysis of Systems
(TACAS’04), volume 2988 of Lecture Notes in Computer Science, pages 251–265.
Springer, 2003.
35
[17] Flemming Nielson, Hanne Riis Nielson, and Chris Hankin. Principles of Program
Analysis. Springer, 1999.
[18] H. R. Nielson, F. Nielson, and H. Pilegaard. Spatial analysis of bioambients. In Static
Analysis Symposium (SAS’04), volume 3148 of Lecture Notes in Computer Science,
pages 69–83. Springer Verlag, 2004.
[19] Hanne Riis Nielson and Flemming Nielson. Flow logic: a multi-paradigmatic approach
to static analysis. The essence of computation: complexity, analysis, transformation,
pages 223–244, 2002.
[20] Lawrence C. Paulson. The inductive approach to verifying cryptographic protocols.
Journal of Computer Security, 6:85–128, 1998.
[21] C. Perkins, E. Belding-Royer, and S. Das. Ad hoc On-Demand Distance Vector
(AODV) Routing. IETF RFC 3561, July 2003.
[22] Charles E. Perkins and Elizabeth M. Royer. Ad-hoc On Demand Distance Vector
Routing. In 2nd IEEE Workshop on Mobile Computing Systems and Applications
(WMCSA’99), 1999.
[23] K. V. S. Prasad. A calculus of broadcasting systems. Sci. Comput. Program., 25(2-
3):285–327, 1995.
[24] P. Y. A. Ryan and S. A. Schneider. The Modelling and Analysis of Security Protocols:
the CSP Approach. Addison-Wesley, 2001.
[25] Kimaya Sanzgiri, Bridget Dahill, Brian Neil Levine, Clay Shields, and Elizabeth M.
Belding-Royer. A secure routing protocol for ad hoc networks. In 10th IEEE Inter-
national Conference on Network Protocols (ICNP’02), Paris, France, 2002.
[26] O. Shivers. Control flow analysis in scheme. In PLDI ’88: Proceedings of the ACM
SIGPLAN 1988 conference on Programming Language design and Implementation,
pages 164–174, New York, NY, USA, 1988. ACM Press.
[27] Oskar Wibling, Joachim Parrow, and Arnold Pears. Automatized verification of ad
hoc routing protocols. In 24th IFIP WG 6.1 International Conference on Formal
Techniques for Networked and Distributed Systems (FORTE 2004), LNCS. Springer,
2004.
[28] Irfan Zakiuddin, Michael Goldsmith, Paul Whittaker, and Paul Gardiner. A Method-
ology for Model-Checking Ad-hoc Networks. In Model Checking Software: 10th In-
ternational SPIN Workshop, volume 2648 of LNCS, pages 181–196. Springer-Verlag,
2003.
36